and the build.xml should be placed directly under the Secure-JAX-WS-Example directory.

3:Make sure that the weblogic server is running and according to the values of weblogic username/password/localhost/port/ etc adjust the values in the build.xml file.

4:Now open a command prompt and run the setDomainEnv.cmd file to set the environment required for executing the ant task defined by weblogic and used in the build.xml file.

5: After running the setDomainEnv.cmd on the same command prompt move to your working dir i.e. Secure-JAX-WS-Example directory:

execute the following ant task one by one :

ant build-service(Press Enter)

If the result is successful the execute the next task:

ant deploy

Now you can login to the Admin Console of the weblogic server and go the Deployments tab:

Within Deployment summary we can the web service has been deployed :(See the below Snap Shot)

Now Click on the above UsernameTokenEar :

Then click on the Testing tab present on the top of the Weblogic Admin Console.

Then Expand the HelloService so that you can see the below page:

Now Click on the Test Client that is shown in front of /Hello/HelloService.

You will see another window showing some page like below:

Weblogic Web Service Test Client window

Now type some string in the give space and click on the sayHello button available:

You will see the following response:

As you can clearly see the error message that the there is some invalid Security Fault.

This is because the web service is now expecting the username and password along with the SOAP request and since Weblogic Client does not has any way to pass the username/password token this web service is not invoked successfully.

So, following these steps you can make your JAX-WS web service secure.

Now In order to invoke this web service you will have to write some clients that can pass username and password with the request and can successfully invoke the service.

14 Comments

After exploring a number of the blog articles on your website, I seriously like your way of blogging. I book-marked it to my bookmark webpage list and will be checking back soon. Please visit my website as well and let me know your opinion.

Anyone trying to do this with EAR in archived format, I believe you can create a “policies” directory in EJB’s MET-INF or WAR’s WEB-INF and place policy XML files there. Then in URI, specify “policy:filename.xml”. There is also a classloader option documented in weblogic documentation… it involves setting a JVM property.

I was just wondering if there is any way to set custom UserName/Password for the Secure Webservice Client for them to invoke.

I tried above sample and its working like charm. But What if i don’t want to share my Weblogic UserId/pwd with the clients OR it could be possible that i may have different clients for my WebService and i want all clients to use different set of Userid/pwd for authentication.

Thanks for these step-by-step articles, I like them very much and appreciate you effort. I have a query related with the webservice security and single sing-on, I would like to implement single sign-on and also want that the web application that is hosting my webservice participates in it.

I have already configured the single sign-on for two web application, as per my knowledge, web browser plays a very important role in implementing the same. However, in case of web service, we can call the webservice from a servlet also.

To be more precise, suppose there are two web apllications: Application A: is acting as SAML Identity provider and web application having a servlet which will call the web service deployed in the application B. Application B: This is another web application deployed on a different domain and should participate in the single sign-on process. If I leave the webservice aside, I have configured the weblogic domains such that I can access a secured resource ( say jsp page) of Application B via application A without asking the authentication as I have already authenticated with application A. Actually Application A is passing the SAML authentication token to application B. So i can log in to application B without re-authentication. however, now I have added one web service in application and want it to be secured and participates in the single sign-on, that is, want to configure application A to send the token even in case of a web service call, and configure application B to accept and validate the token and execute the webservice if found a valid token. Do you have any idea on this. Please feel free to ask more clarification as I am bad in explaining the things.

The exception maybe coming while you are using the code as a webapp because weblogic is using the java net package when the code is executed from within the container. Try using the flag: -Djava.protocol.handler.pkgs=weblogic.net

We are getting one exception javax.xml.ws.WebServiceException: javax.xml.rpc.JAXRPCException: weblogic.xml.crypto.wss.WSSecurityException: Failed to add Signature. at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:205) at weblogic.wsee.jaxws.tubeline.FlowControlTube.processRequest(FlowControlTube.java:99) at com.sun.xml.ws.api.pipe.Fiber.__doRun while trying to invoke a webservice from a webapp deployed on weblogic . What can be the issue ? While running the client as a standalone main class this issue doesn’t occur.

This is only for the educational purpose. None of the presented sample are for the production environment. We can use the default available policy files with the weblogic server to secure the web services.